Secure Web Development: A Quick Start Guide

Authentication

Do 

✓ Use pre-existing authentication providers and SSO solutions

Do not

⨯ Implement custom authentication
⨯ Implement custom encryption of user credentials


Authorization

Do

✓ Base authorization decisions on user identity
✓ Implement authorization centrally


Clickjacking

Do 

✓ Send the X-Frame-Options header with all responses (e.g. set the value to SAMEORIGIN)

Do not

⨯ Allow the pages to be displayed in a frame


Client-side data

Do

✓ Consider encrypting data stored on the client

Do not 

⨯ Store private data on the client (i.e. in the browser)



Cookies

Do

✓ Set all cookies as Secure when served over HTTPS
✓ Set all cookies as HttpOnly

Do not

⨯ Store state in cookies
⨯ Trust any data stored in cookies



Cross-origin resource sharing (CORS)

Do not

⨯ Use JSONP
⨯ Use 'Access-Control-Allow-Origin: *'


Cross-Site Request Forgery (CSRF)

Do 

✓ Implement a standard protection (e.g. double-posting / the double-submit cookie pattern)

Cross-Site Scripting (XSS)

Do 

✓ Use functions as parameters when calling setTimeout() & setInterval()
✓ Encode all user supplied input when rendered into the HTML

Do not

⨯ Use eval()


Data security

Do 

✓ Encrypt all data when it is 'at rest' (e.g. in a file, cache, database, service bus)
✓ Encrypt data when it is moving between processes
✓ Apply good database security practices


Denial of service (DoS)

Do

✓ Restrict unauthenticated activity using captchas
✓ Restrict the number of results returned for any query to a hard-coded limit
✓ Implement paged results

Beware of

⚠ High CPU and memory load associated with specific user interactions


Directory traversal

Do

✓ Implement input validation
✓ Reference files by id, rather than by name
✓ Validate user supplied filenames and paths


File upload/download

Do

✓ Add the header 'X-Content-Type-Options' with the value nosniff
✓ Restrict the types of files that can be uploaded
✓ Run a virus scanner on uploaded files
✓ Consider directory traversal defenses
✓ Require authentication of the user uploading and downloading files
✓ Consider encrypting the files if they are stored on disk


Information disclosure

Do 

✓ Remove all unnecessary HTTP headers
✓ Restrict search engine discovery via robots.txt

Do not

⨯ Display verbose error messages


SQL Injection (SQLi)

Do 

✓ Use ORMs such as Hibernate, NHibernate & Entity Framework
✓ Use parameterised queries
✓ Use stored procedures

Do not

⨯ Concatenate strings
⨯ Use sp_executesql

Beware of

⚠ Custom queries in ORMs
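An added example (not part of the guide) that puts the 'Do not concatenate strings' and 'Use parameterised queries' items side by side, in Python with the standard-library sqlite3 driver; the users table and the lookup names are constructed for the demonstration:

```python
import sqlite3

# Constructed sample data for the demonstration (not from the guide).
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def find_email_concat(conn: sqlite3.Connection, name: str) -> list:
    # Do not: the user-supplied value is spliced into the SQL text, so it
    # can alter the structure of the statement instead of acting as data.
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def find_email_param(conn: sqlite3.Connection, name: str) -> list:
    # Do: the statement text is fixed and the driver binds the value
    # separately, so the input is only ever compared as data.
    sql = "SELECT email FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


def compare(name: str) -> dict:
    """Run both lookups on a fresh database and return their results.

    A concatenated query that fails to parse (e.g. a legitimate name
    containing an apostrophe) is reported as 'error' instead of raising.
    """
    conn = make_db()
    try:
        concat = find_email_concat(conn, name)
    except sqlite3.OperationalError:
        concat = "error"
    return {"concat": concat, "param": find_email_param(conn, name)}
```

For a plain name both lookups agree; for the classic `' OR '1'='1` input the concatenated query returns every row while the parameterised one returns nothing, and a legitimate name such as `o'brien` breaks the concatenated query outright.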


Stored Cross-Site Scripting

Do 

✓ Validate all user supplied text against a whitelist of valid characters
✓ Encode all user supplied input when rendered into the HTML



General

Do 

✓ Remove obsolete and unused code
✓ Validate all input including query string parameters
✓ Implement logging
✓ Defend against log poisoning

